CPO甲方首席防坑官

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent procurement and project-risk guidance assistant, with no evidence of hidden execution, credential use, exfiltration, or destructive behavior.

Installers should treat this as a business advisory skill, not legal or financial counsel. Avoid entering personal data that has not been de-identified or confidential deal terms, and be aware that opening the HTML report template may load third-party web resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill instructions direct the agent to read multiple local reference files and to produce an HTML report from a local template, while the metadata apparently does not declare corresponding permissions. This mismatch can lead to unauthorized file operations or hidden capability use, which weakens sandboxing and review controls even if the apparent purpose is business guidance rather than overtly malicious behavior.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: A skill whose declared purpose is user-facing project risk-control advice but which also generates self-evaluation artifacts, writes static HTML files to disk, and emits hardcoded demo reports exhibits a material behavior mismatch. That creates a trust and containment problem: operators may approve it for benign advisory use while it performs unrelated local side effects and non-user-driven content generation.

Context-Inappropriate Capability

Severity: Low
Confidence: 95%
Finding: The template loads third-party JavaScript and font assets from external CDNs, which creates a supply-chain and privacy risk: anyone rendering the report will make network requests to external domains, and compromised CDN content could execute in the report context. In this skill's context, a static reporting template for procurement/risk analysis does not require live third-party code at runtime, so the dependency is unnecessary and increases exposure.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The trigger phrases are broad, generic requests such as requirement deconstruction and project implementation, which can overlap with ordinary user conversations and cause the skill to activate outside its intended scope. In an agent environment, this increases the chance of unintended invocation, context hijacking, or the skill influencing responses in situations where its legal/procurement guidance is not appropriate.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding: The trigger phrases are broad, natural-language expressions such as '帮我理理需求' ("help me sort out the requirements") and '怎么防坑' ("how do I avoid pitfalls"), which can easily appear in ordinary conversation and unintentionally activate the skill. In an agent environment, over-broad invocation can cause unsolicited domain-specific guidance, context switching, or unintended processing of sensitive project/procurement information.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The trigger list contains broad, common-language phrases such as general requests for help, planning, risk avoidance, or project acceptance, which can cause the skill to activate unintentionally in unrelated conversations. Overbroad activation is dangerous because it can insert file-reading/report-generation behavior into contexts where the user did not intend to invoke this skill, increasing the chance of unauthorized data access or confusing outputs.

VirusTotal

65/65 vendors flagged this skill as clean.